| tbyfield on Sat, 6 Jun 1998 22:14:32 +0200 (MET DST) | 
| <nettime> RISKS DIGEST 19.78 [excerpted] | 
[Heavily excerpted for redistribution on nettime. All "<...>" are mine. For a
more detailed explanation of the Indian nuclear plant hack, see
http://www.antionline.com/SpecialReports/milworm/hack.jpg (a jpeg). -T]

RISKS-LIST: Risks-Forum Digest  Thursday 4 June 1998  Volume 19 : Issue 78

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at http://catless.ncl.ac.uk/Risks/19.78.html

  Contents:
<...>
Senate talks martial law and Y2K; Indian nuke-hackers (Declan McCullagh)
<...>
Texas accent required for voice recognition in UK (Mich Kabay)
<...>
Referer-log security hole (Jorn Barger)
<...>
Re: CzERT group of hackers ravage Czech & Slovak cyberspace (Steven Slatem)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

<...>

Date: Thu, 4 Jun 1998 14:21:28 -0700 (PDT)
From: Declan McCullagh <declan@well.com>
Subject: Senate talks martial law and Y2K; Indian nuke-hackers

http://cgi.pathfinder.com/netly/afternoon/0%2c1012%2c2038%2c00.html
time.com / The Netly News / Afternoon Line, 4 Jun 1998

The Martial Plan

Think the Year 2000 problem means mere elevator snafus? Try dealing with a
platoon of Marines who show up in your front yard to confiscate your hoarded
lentils. Sen. Robert Bennett (R-Utah) asked the deputy secretary of defense
at a hearing this morning what plans the Pentagon has "in the event of a
Y2K-induced breakdown of community services that might call for martial
law." John Hamre replied carefully, but none too reassuringly, "We've got
fundamental issues to deal with that go beyond just the Year 2000
contingency planning. And I think you're right to bring that up."

Another distressing point that came up at the Senate Armed Services
committee hearing was the fact that the military directs one quarter of
U.S. air traffic. "You may be flying across the country and an air traffic
controller may be a military guy in certain areas as opposed to it being an
FAA person," Hamre said. Although the FAA's head Y2K guru assured us this
afternoon that the agency will have its Y2K fixes complete by October 1998,
the military appears to be in much worse shape.

And other countries? "We can be sure that there will be social unrest in
many parts of the world as a result of Y2K," Bennett said. For the record,
though, Bennett did say, "I am not one of those who says that Y2K will
automatically produce martial law," and blamed "alarmists, extremists out
there on the Internet" for unnecessary scaremongering.
--By Declan McCullagh/Washington

Hackistan

As if the accelerating arms race on the subcontinent weren't disturbing
enough, a group of hackers broke into the local area network of India's
Bhabha Atomic Research Center (BARC) and copied five megabytes' worth of
data, including e-mail between scientists and files from India's nuclear
research program. [...]

  [According to an article by James Glave in WiReD News, 3 Jun 1998, James
  interviewed the three teenage "Milw0rm" crackers (in New Zealand and
  England) by Internet Relay Chat. They apparently gained control over 6 of
  the 8 servers in *.barc.ernet, altered the BARC Web site, and deleted many
  files -- in protest against the Indian nuclear testing. (The BARC is worse
  than many bytes?) They also e-mailed some of their discoveries to James.
  They say they are now going to take a closer look at the Pakistanis. PGN]

------------------------------

<...>

Date: Wed, 3 Jun 1998 17:05:18 -0400
From: "Mich Kabay [ICSA]" <Mich_Kabay@compuserve.com>
Subject: Texas accent required for voice recognition in UK

According to an article in _The Guardian Weekly_ (May 10, 1998; p. 11),
biometric authentication using voice recognition has hit a stumbling block
because of trans-oceanic differences in accent.
> Tagging Test Pines for Texas, by Alan Travis
> A British experiment using an American device to monitor convicted
> criminals to be introduced later this year has hit a snag -- the high-tech
> "voice recognition" system only responds to a Texas drawl.
> The Home Office scheme involves ordering offenders to carry dedicated
> pagers with them to ensure check-ins several times a day.

The author explains that the paroled convicts are supposed to respond to
the request for check-in by phoning a toll-free number and identifying
themselves. The biometric authentication system then authenticates their
identity. I guess the system must also use automatic number identification
to track their physical location (although auto-forwarding of calls poses an
unmentioned threat to such a scheme).

The problem occurred when the unnamed brand of voice recognition system
failed to respond reliably to British accents. Seems the Texas company
"trained" the system using only Texas drawls.

One additional problem: if the manufacturers in Texas assume that all
British people sound the same, they are in for a nasty surprise. I suspect
that the variations of pronunciation and even of prosody in that tight
little isle exceed the variations found in television-drenched America (not
counting the wonderful flavours added by immigrants' accents).

M.E. Kabay, PhD, CISSP (Kirkland, QC), Director of Education
International Computer Security Association (Carlisle, PA)
<http://www.icsa.net>

  [Quick-drawl artists need not apply. The AYES of Taxes are a pun us. PGN]

------------------------------

<...>

Date: Tue, 26 May 1998 16:30:32 -0700
From: "George C. Kaplan" <gckaplan@gangrene.net.berkeley.edu>
Subject: Re: Failure modes when the power fails (Weaver, RISKS-19.76)

In RISKS-19.76, Nicholas C. Weaver described various failure modes in the
CS department during the power failure that hit UC Berkeley on 19 May.
The entire campus network was, of course, offline during this period, and
all the major network equipment was turned off to prevent damage due to
surges when the power returned. When it became apparent that the power
wouldn't come back before the end of the working day the network support
personnel went home, leaving instructions with the skeleton operations crew
to page them when the power came back on.

By now we all know about that *other* little problem that afternoon.
Because our pagers weren't working, we didn't hear that power had returned
until someone happened to call in to work to check. So restoration of
network operations took about an hour longer than it would have if Galaxy
IV hadn't failed.

George C. Kaplan, Communication & Network Services, University of California
at Berkeley  1-510-643-0496  gckaplan@ack.berkeley.edu

------------------------------

<...>

Date: Wed, 27 May 1998 17:14:23 -0500
From: jorn@mcs.com (Jorn Barger)
Subject: Referer-log security hole

On 11 May, CNet reported a security hole with the "My Excite" web 'portal',
where a subscriber's private ID (effectively their private password) may
show up in the referer-log of the next site they visit. The article is at:
<URL:http://www.news.com/News/Item/0,4,21994,00.html>

...and I double-checked it today with "Pascal's Header Echo" at
<URL:http://echo.znet.de:8888/> -- by pasting the Pascal URL into my
Netscape Location Bar, Pascal *or anyone* will see much more in my headers
than they ought:

===
I. Your Browser sent the following request to this server:

GET / HTTP/1.0
Referer: http://my.excite.com/?uid=12345ABC654321A0
Connection: Keep-Alive
User-Agent: Mozilla/4.03 (Macintosh; I; PPC, Nav)
Host: echo.znet.de:8888
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
===

I've changed the "uid" to a random equivalent, but anyone who found it in
their Referer-log would gain full access to my customized Excite data.
I don't remember even seeing this discussed, but presumably it applies just
as well if you've been browsing pornography, etc, or even looking at an
HTML file in your local filesystem... it would happily deliver up the full
path to that file.

[Added note:] It gets worse and worse: Going to Altavista and querying
"+my.excite.com.uid" turns up 200 pages, many with usable My Excite
passwords.

I EDIT THE NET: <URL:http://www.mcs.net/~jorn/html/weblogs/weblog.html>

------------------------------

<...>

Date: Wed, 03 Jun 1998 21:57:18 +0200
From: Steven Slatem <steven.slatem@intellitech-media.cz>
Subject: Re: CzERT group of hackers ravage Czech & Slovak cyberspace (R 19 77)

Herewith are the links, mistakenly omitted in the last RISKS posting, to the
full story "CzERT lives on":
http://www.intellitech-media.cz/public-access/nbisn/19980524-75x.htm

Central & East European Hack Archive/CzERT Hack Archive:
http://www.intellitech-media.cz/public-access/cee-hack-archive/czert-hack-archive

The author (me) welcomes your comments, questions and opinions in regards to
this story as well as the last posting to RISKS which contained points
exclusive to that posting.

- Steven Slatem, Editor-In-Chief, Networked Business & Information Security
News (NBISN), IntelliTech Media, Inc.  http://www.intellitech-media.cz

  [When including URLs in RISKS submissions, please remember to use only
  long-term URLs as in the case of these archival ones. TNX. PGN]

------------------------------

Date: 31 Mar 1998 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest. Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.
 Alternatively, via majordomo, SEND DIRECT E-MAIL REQUESTS to
 <risks-request@csl.sri.com> with one-line, SUBSCRIBE (or UNSUBSCRIBE)
 [with net address if different from FROM:] or INFO [for unabridged
 version of RISKS information]
 .MIL users should contact <risks-request@pica.army.mil> (Dennis Rears).
 .UK users should contact <Lindsay.Marshall@newcastle.ac.uk>.
=> The INFO file (submissions, default disclaimers, archive sites, copyright
 policy, PRIVACY digests, etc.) is also obtainable from
 http://www.CSL.sri.com/risksinfo.html
 ftp://www.CSL.sri.com/pub/risks.info
 The full info file will appear now and then in future issues. *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line.
=> ARCHIVES are available: ftp://ftp.sri.com/risks or
 ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
   [volume-summary issues are in risks-*.00]
   [back volumes have their own subdirectories, e.g., "cd 18" for volume 18]
 or http://catless.ncl.ac.uk/Risks/VL.IS.html [i.e., VoLume, ISsue].
 The ftp.sri.com site risks directory also contains the most recent
 PostScript copy of PGN's comprehensive historical summary of one liners:
 get illustrative.PS

------------------------------

End of RISKS-FORUM Digest 19.78 [excerpted for redistribution on nettime-l]
************************

---
#  distributed via nettime-l : no commercial use without permission
#  <nettime> is a closed moderated mailinglist for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: majordomo@desk.nl and "info nettime-l" in the msg body
#  URL: http://www.desk.nl/~nettime/  contact: nettime-owner@desk.nl
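The Referer-log item above (Jorn Barger) describes the mechanism: an authenticator that one site puts in the query string of its URLs is carried to the next site the user visits in the Referer header, and so ends up in that site's access log, where anyone who reads the log can reuse it. What follows is an added example, not part of the RISKS digest or the nettime posting: a small Python scanner that finds such leaks in a server's own combined-format log, plus the redaction a log pipeline should apply before the line is stored. The log lines, hosts, paths and the list of sensitive parameter names are constructed for illustration; the uid value is the placeholder Jorn used.

```python
"""Added example (not from the RISKS digest or the nettime posting).

Scans a web server's access log for Referer values that leak something the
referring site should never have put in a URL: an authenticator in the query
string (the "My Excite" uid case) or a local file path (the file:// case).
All log lines below are constructed for this example.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names that usually carry an authenticator. Assumed list;
# extend it for the applications you actually run.
SENSITIVE_PARAMS = {"uid", "sid", "sessionid", "session", "token", "auth",
                    "key", "passwd", "password"}

# Apache/NCSA "combined" format:
#   client ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log (addresses from the documentation range 203.0.113/24).
SAMPLE_LOG = """
203.0.113.7 - - [27/May/1998:17:02:11 -0500] "GET / HTTP/1.0" 200 1042 "http://my.excite.com/?uid=12345ABC654321A0" "Mozilla/4.03 (Macintosh; I; PPC, Nav)"
203.0.113.8 - - [27/May/1998:17:03:45 -0500] "GET /index.html HTTP/1.0" 200 1042 "http://www.example.com/links.html" "Mozilla/4.03 (Win95; I)"
203.0.113.9 - - [27/May/1998:17:05:02 -0500] "GET / HTTP/1.0" 200 1042 "file:///Users/jorn/private/notes.html" "Mozilla/4.03 (Macintosh; I; PPC, Nav)"
203.0.113.10 - - [27/May/1998:17:06:30 -0500] "GET / HTTP/1.0" 200 1042 "-" "Mozilla/4.03 (X11; I; Linux)"
"""


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def referer_findings(referer):
    """List (kind, detail) pairs describing what a single Referer value gives away."""
    if not referer or referer == "-":
        return []
    parts = urlsplit(referer)
    findings = []
    if parts.scheme == "file":
        # Browsers of the period sent file:// URLs as Referer: a path on the user's disk.
        findings.append(("local-path", parts.path))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append(("credential", f"{parts.hostname}:{name}={value}"))
    return findings


def scan_log(text):
    """Run referer_findings over every parseable line; unparseable lines are skipped."""
    hits = []
    for line in text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        for kind, detail in referer_findings(rec["referer"]):
            hits.append({"client": rec["client"], "kind": kind, "detail": detail})
    return hits


def redact_referer(referer):
    """The form a log pipeline should store: sensitive query values and file paths removed.

    This limits the damage on the receiving side only; the referring site's
    decision to put an authenticator in a URL is what created the exposure.
    """
    if not referer or referer == "-":
        return referer
    parts = urlsplit(referer)
    if parts.scheme == "file":
        return "file:///REDACTED"
    query = [(n, "REDACTED" if n.lower() in SENSITIVE_PARAMS else v)
             for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']:14} {hit['kind']:10} {hit['detail']}")
```

Run against the constructed log, the scanner reports the Excite uid from the first line and the local path from the third; the second and fourth lines carry nothing sensitive. Scanning and redacting only control what the receiving site keeps. The exposure Jorn describes is created on the referring site, and the fix belongs there: keep the authenticator out of the URL (in a cookie or the request body) or make it short-lived and bound to the session, so that a copy in someone else's log is worthless.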